
I have an ASP.net MVC webapp, which is using Azure AD B2C to authenticate the users. The cookie in the ASP.net MVC app is set to expire after a 20 minute rolling timeout. The settings in AD B2C are as follows:

  • Access and ID token lifetime = 20 minutes
  • refresh token lifetime = 14 days
  • refresh token sliding window lifetime = bounded, 90 days
  • claim representing policy ID = tfp
  • Web app session lifetime = 20 minutes
  • WebApp session timeout = rolling
  • Single Sign on configuration = application
  • request ID token in logout requests = no

Here is the sequence:

  • open the app url
  • login into AD b2c, redirect back to app home page
  • close the tab on browser
  • open the home page url in a new browser tab after 30 minutes
  • due to ASP.net MVC cookie session timeout, app redirects to AD B2C
  • Instead of asking for credentials, Azure AD B2C silently logs in user
  • User is redirected back to home page

Why is the Azure AD B2C cookie not expiring and the user not being asked to authenticate again? I would assume that using the settings above in AD B2C should cause the user to re-login, which is my desired behaviour.

Note: the "Keep me signed in" option is disabled and cannot be set by the user.

Also, I am not using the offline_access scope and hence a refresh token is not given to my app. So it is not the refresh token that is causing the issue.

Vicky

2 Answers


You might be experiencing the same issue as I have. See the answer on Azure AD B2C logout after session timeout

IvanL
  • Thanks Ivan, but the policy that you set on Azure AD has no way of setting a rolling timeout, as you can on B2C. We want to have the user logged in as long as he is active. Once the user is not active, after a timeout, we want the user to be logged out. I also received the same answer from Microsoft support, but it seems the policy that you set on AD doesn't support a rolling timeout but only an absolute timeout. Do you know if there is a way out of this? – Vicky May 23 '18 at 11:08
    @Vicky As long as the user is active there will be a valid AD B2C session, which is the first session to be checked on the Azure side; it's only once your AD B2C session times out that Azure will check your Azure AD session (which is by default valid for 365 days). Changing this to 15 minutes resolves the problem because it's the underlying session, which is used only by Azure itself and is invisible to your applications. Have you had issues with the user being unexpectedly signed out after setting the policy like I described in my response? – IvanL May 24 '18 at 06:15
  • Thanks. Will try it out. – Vicky May 25 '18 at 01:41
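A way to check what actually happened at the "silently logs in" step of the question's sequence, as an added diagnostic example that is not code from the question or from either answer: compare the `auth_time`, `iat`, `exp` and `tfp` claims of the ID token received at the first login with those of the token received after the silent redirect. If `auth_time` did not advance, B2C issued the new token from its existing sign-in session without prompting for credentials, which is the session layering IvanL describes above. Everything in the sample tokens (the policy name `B2C_1_signin`, the audience, the timestamps) is constructed for this example; the script reads the JWT payload without verifying the signature, which is acceptable here only because the OIDC middleware in the app has already validated the token on arrival.

```python
import base64
import json

# Lifetimes taken from the question's settings (seconds).
APP_SESSION_LIFETIME_S = 20 * 60   # ASP.NET MVC cookie, rolling
B2C_ID_TOKEN_LIFETIME_S = 20 * 60  # "Access and ID token lifetime"
# Assumed user-flow name; the question does not give the real one.
EXPECTED_POLICY = "B2C_1_signin"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that JWT segments strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT signature verification.

    Diagnostic use only: by the time the app sees the token the OIDC middleware
    has validated it; here we only want to read iat / auth_time / exp / tfp.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."  # empty signature segment (constructed data)


def classify_signin(previous_token: str, current_token: str) -> dict:
    """Compare the ID token from an earlier sign-in with the one just received.

    interactive          - True only if auth_time advanced, i.e. the user really
                           authenticated again; a silent redirect keeps the old one.
    sso_age_s            - seconds since credentials were actually presented.
    app_session_exceeded - the B2C-side sign-in is older than the app's rolling
                           cookie lifetime: the situation the question describes.
    token_lifetime_s     - exp - iat, should match the configured 20 minutes.
    policy_ok            - the token came from the expected user flow (tfp claim).
    """
    prev = decode_claims(previous_token)
    cur = decode_claims(current_token)
    for name in ("iat", "exp", "auth_time"):
        if name not in cur:
            raise KeyError(f"ID token is missing the '{name}' claim")
    sso_age = cur["iat"] - cur["auth_time"]
    return {
        "interactive": cur["auth_time"] > prev["auth_time"],
        "sso_age_s": sso_age,
        "app_session_exceeded": sso_age > APP_SESSION_LIFETIME_S,
        "token_lifetime_s": cur["exp"] - cur["iat"],
        "policy_ok": cur.get("tfp") == EXPECTED_POLICY,
    }


# Constructed sample: interactive login at T0, silent re-login 30 minutes later.
T0 = 1_527_000_000
FIRST_LOGIN_TOKEN = make_sample_token({
    "sub": "user-object-id", "aud": "app-client-id", "tfp": EXPECTED_POLICY,
    "iat": T0, "auth_time": T0, "exp": T0 + B2C_ID_TOKEN_LIFETIME_S,
})
SILENT_RELOGIN_TOKEN = make_sample_token({
    "sub": "user-object-id", "aud": "app-client-id", "tfp": EXPECTED_POLICY,
    "iat": T0 + 1800, "auth_time": T0,  # auth_time unchanged: no prompt shown
    "exp": T0 + 1800 + B2C_ID_TOKEN_LIFETIME_S,
})

if __name__ == "__main__":
    for key, value in classify_signin(FIRST_LOGIN_TOKEN, SILENT_RELOGIN_TOKEN).items():
        print(f"{key}: {value}")
```

The `interactive` flag is what to log in the app's `SecurityTokenValidated` handler: if it stays `False` while `sso_age_s` keeps growing past the cookie lifetime, the redirects are being satisfied from B2C's own session rather than by a fresh credential check.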

As per my understanding, in your scenario described above the refresh token is still valid and will be used to acquire a new ID token without user interaction.

Refresh tokens are security tokens that your app can use to acquire new ID tokens and access tokens in an OAuth 2.0 flow. They provide your app with long-term access to resources on behalf of users without requiring interaction with those users.

Reference Document - Azure AD B2C: Token reference

Mohit_Garg
  • I am not using the offline_access scope so my app doesn’t get back the refresh token. So this case you mentioned is not happening. – Vicky May 23 '18 at 03:36